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Abstract 

We investigate the power of quantum computers when they are required to return an 
answer that is guaranteed correct after a time that is upper-bounded by a polynomial 
in the worst case. In an oracle setting, it is shown that such machines can solve 
problems that would take exponential time on any classical bounded-error probabilistic 
computer. 



1 Introduction 

According to the modem version the Church-Turing thesis, anything that can be computed 
in polynomial time on a physically realisable device can be computed in polynomial time 
on a probabilistic Turing machine with bounded error probability. This belief has been 
seriously challenged by the theory of quantum computing. In particular, it was shown 



by Peter Shor that quantum computers can factor large numbers in polynomial time [|1T 
which is conjectured to be impossible for classical devices. However, Shor's algorithm is 
polynomial-time in the expected sense: there is no upper bound on how long it will run 
on any given instance if we keep being unlucky. In this paper, we address the question of 
Exact Quantum Polynomial Time, which concerns the problems that quantum computers 
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can solve in guaranteed worst-case polynomial time with zero error probability. Note that 
this strong requirement would make randomness useless for classical machines: anything you 
can compute on a classical probabilistic computer with zero error probability in guaranteed 
worst-case polynomial time can be done in polynomial-time by a deterministic computer — 
simply run the probabilistic algorithm with an arbitrarily fixed sequence of coin "tosses" . 

The study of Exact Quantum Polynomial Time is not new. The very first algorithm ever 
designed to demonstrate an advantage of quantum computers over classical computers, due 
to Deutsch and Jozsa 0, was of this Exact nature. However, it solved a problem that could 
be solved just as efficiently on a classical probabilistic computer, provided an arbitrarily 
small (one-sided) error probability is tolerated. Here we demonstrate for the first time the 
existence of a relativized problem that can be solved in Exact Quantum Polynomial Time, 
yet it would require exponential time to obtain a correct answer with probability significantly 
better than 1/2 by any classical probabilistic (or deterministic) algorithm. 

When it comes to decision problems, the well-known classical classes P, ZPP and 



BPP |10[ give rise to their natural quantum counterparts QP, ZQP and BQP, respec- 
tively. A decision problem belongs to QP if it can be solved by a quantum algorithm whose 
answer is guaranteed correct and whose running time is guaranteed to be bounded by some 
fixed polynomial. It is in ZQP if it can be solved with zero error probability in quantum 
polynomial time: the answer is still guaranteed correct, but the running time is required 
to be polynomial merely in the expected sense (for each possible input). This corresponds 
to the classical notion of Las Vegas algorithms. Finally, the decision problem is in BQP 
if it returns the correct answer with probability better than 2/3 on all inputs, after a time 
that is bounded by a polynomial. (In this case, it makes no difference whether we consider 
expected or worst-case time.) This corresponds to the classical notion of Monte Carlo algo- 
rithms. Please note that the name "EQP" has been used by different authors, sometimes 
to mean QP and sometimes to mean ZQP |Q. To avoid confusion, we shall refrain from 
using it at all. 

The following results are known in quantum complexity theory: P C QP 
ZPP C ZQP, BPP C BQP C P#P [ig, I and BQP^^^ = BQP ||. It is believed that 



ZQP ^ BPP because Shor's quantum factorization algorithm ITJ] allows to recognize 

F = {{x,y) \ X has a prime divisor smaller than y} 

in ZQP, whereas if F G BPP then factorization can be accomplished in polynomial 
expected time by a classical Las Vegas algorithm. Moreover, with appropriate oracles, it 
is known that QP ^ NP (and therefore QP ^ ZPP 0), BQP ^ BPP [g and 
NPnco-NP 2 BQP m. 
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A major open question concerns the power of the weakest of all polynomial-time quantum 
classes, QP, compared to that of the strongest of all polynomial-time classical probabilistic 
classes, BPP. Could it be that QP C BPP? Or perhaps rather BPP C QP? Or are these 
two classes uncomparable? What about relativized versions of this question? Clearly any 
oracle under which P = PSPACE is so that QP = BPP as well, but what about oracles 
that separate QP from BPP? Even though this paper provides an oracle under which there 
is a problem that can be solved in Exact Quantum Polynomial Time but requires exponential 
time to be solved with probability better than 2/3 by any classical probabilistic algorithm, 
we do not solve the QP versus BPP question because our problem is not a decision problem. 
Unfortunately, there is no obvious way to turn our problem into a decision problem, in the 
way that the Deutsch-Jozsa algorithm (which did not concern a decision problem either) was 
turned into a relativized decision problem to separate QP from NP Thus we leave the 
separation of QP from BPP as an open problem. 

We assume in this extended abstract that the reader is familiar with the basic notions of 
quantum computing [|, ^. 



2 The Problem and its Quantum Solution 



We consider a computational problem inspired from Simon's problem [T^. Let n > 2 be any 
given integer. Let © : {0, 1}" x {0, 1}" {0, 1}" denote the bitwise exclusive-or. Define a 
dot product (•) : {0, 1}" x {0, 1}" ^ {0, 1} by a ■ 6 = (EILi "j^i) "^'^^ 2 where a = a„ . . . ai 
and b = bn ■ ■ - bi. 



Given: An integer n>2 and a function / : {0, 1}" — > {0, 1}"" ^. 

Promise: There exists a nonzero element s G {0,1}" such that for all x, y G {0,1}", 
/(x) = /(y) if and only ii x = y oi x = y ® s. 

Problem: Find a nonzero element z G {0, 1}" such that s ■ z = Q. 



Simon's original problem is equivalent to the problem of determining the unknown 
string s. Our problem is reducible to that one, since if we know s we can easily find a 
nonzero element z G {0, 1}" with s ■ z = Q. However, Simon's quantum algorithm cannot 
be used to solve our problem because it finds s in a time that is polynomial merely in the 
expected sense. There is a nice group-theoretic interpretation for our problem, and since 
that interpretation also helps simplify the notation, we shall use it. Hence, we reformulate 
the problem as follows. 
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Let Z2 = {0, 1} denote the field of two elements. For any given integer n > 2, let G denote 
the group (Z2, ©). For any subgroup K ^ G, let K-^ — {g & G \ g ■ k — for ail k & K} 
denote the orthogonal subgroup. 

Given: An integer n > 2 and a function / : G = Z2 ^ {0, l}"^-*^. 

Promise: There exists a subgroup H — {0, s} of order 2 such that / is constant and distinct 
on each coset of H. 

Problem: Find a nonzero member z of the orthogonal subgroup H^. 

For each value in the image of /, there are two preimages. More interesting and crucial 
for our algorithm we also have that, for each value y G {0, there are exactly four 
values in G for which / evaluates to either yO or yl. These four values form two distinct 
cosets of H. 

Before giving the quantum algorithm for solving the problem, we state the notation used 
in the following. For any subset A C. G, let \A) denote the equally- weighted superposition 
— ^ X^ag^ I a). In particular, if Hg is a coset of H, then \Hg) denotes the superposition 

j^{\9) + \g®s)). 

Let W2 denote the one-bit Walsh- Hadamard transform, W2 = (i _i) , and let W2 
denote the Walsh- Hadamard transform applied on each bit of a system of n bits. The result 
of applying W2 to an n-bit register \w) is the superposition J2x(^{o,i}"{~^)^'^\^) ■ Finally, 
let Z = ( -1 ) denote the conditional sign-shift transform. Our quantum algorithm uses no 
other transforms than Wg, Z, and those needed to evaluate the function /. The evaluation 
of function / is made reversible by mapping \x)\y) to \x)\y ® f{x)). Note that a second 
application of this process will reset the second register since ® f{x) ® f{x)) — \x)\y). 
The complete quantum algorithm is as follows. 

Orthogonal subgroup member algorithm 

1. Initiahze the system to be in the zero-state |0)|0) where the first register is an n-bit 
register and the second is an {n — l)-bit register. Initially, apply the transform W2 
to the first register, producing an equally weighted superposition of all elements in the 
group G, -^j:^^^\g)\Q). 

2. Compute / in quantum parallelism and store the result in the second register, produc- 
ing ^ Egec 
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3. Measure all bits of the second register but the least significant, yielding 

j=,{\Hg,)\f{gi)) + \Hg,)\f{g,))) 
for some gi,g2 & G with gi® g2 ^ H. 

4. Apply the conditional sign-shift transform Z on the least significant bit in the second 
register, producing (up to an overall sign-shift) ^(^Hgi)\f{gi)) - \Hg2)\f{g2))) ■ 



5. Compute / again in order to reset the second register, producing \\Hgi) — \Hg2)j |0). 

6. Apply W2 to the first register again. 

7. Measure the first register. Let z* be the outcome. 

We claim that this algorithm returns a nonzero member of the orthogonal subgroup, that 
is, that z* is a nonzero element in H^. Before proving this claim, we provide an example of 
the algorithm. 

Example Let n = 4 and G = 1\. Let the unknown string s be 0101 and the unknown 
subgroup H = {0, s}. The function / is constant on each coset of H, so we need only specify 
it on a transversal T for H, say, 



T 
/ 



0000 0001 0010 0011 1000 1001 1010 1011 
000 010 100 110 101 001 oil 111 



After the second step of the quantum algorithm, the system is in a superposition of all 
elements in the group, | J2geG \g)\fig))- Suppose we measure the string 01 in the third step. 
This projects the superposition to 

^l^(lOOOl) + 10100)) |010) + (|1010) + |llll))|011)j. 

Applying the conditional sign-shift transform and uncomputing / produces 

^(|0001) + |0100) - |1010) - |1111))|000), 
and applying the final Walsh-Hadamard transform gives the superposition 

^(|0010) + |1000) - |0101) - |1111))|000). 

It can easily be verified that each of the four basis-states in this superposition holds a nonzero 
member of the orthogonal subgroup in the first register. □ 
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Theorem 1 Let n > 2 and G = Ia^. Let H ^ G he an unknown subgroup of order 2. 
Let f : G ^ {0, 1}"^^ be any function constant and distinct on each coset of H . Then the 
quantum algorithm given above finds a nonzero member of in time polynomial in n and 
in the time to compute f. 

The theorem foUows from the simple lemma below, by observing that only nonzero mem- 
bers of the orthogonal subgroup can have nonzero amplitude after completing step 6. 

Lemma 2 Let G = 11^ '^^'^ ^ — {0; -s} ^ G. Let gi, g2 ^ G be any two elements in G such 
that gi® g2 ^ H . Let 

\^) = ^2{^-^{\Hgi)-\Hg, 

Then, for all x & G, 



±-7=T if X - 8 = andx- {gi © 512) = 1 



otherwise 



Proof The amplitude of state |a;) in superposition lip) is given by 



2 

This can be factorized as 

1 



.1)91-^1 + 1 _(_l)(sr 



2V¥ 

and the lemma follows. □ 

3 Classical Lower Bound 

In this section, we prove that any classical algorithm that would try to solve the above 
problem in subexponential time would have probability exponentially close to 1/2 to give a 
correct answer, which is essentially no better than guessing an answer at random. This is 
captured in the following theorem and its immediate corollary. 



Theorem 3 Consider an integer n > 2 and pick a function f : {0, 1}" {0, l}"^-*^ at 
random according to the uniform distribution among all functions that satisfy the promise 
that there exists an s & {0, 1}"^ such that f{x) = f{y) if and only if xQ)y = s for all distinct 
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X and y in {0,1}". Consider an arbitrary classical algorithm that has access to f as an 
oracle. Assume the algorithm makes no more than 2"/3 calls on its oracle. Then there exists 
an event £ such that (1) Prob[£^] < 2~"/^ and, (2) If 8 does not occur then the probability 
that the algorithm returns a nonzero z G {0, 1}" such that s ■ z = Q is less than ^ + 2""/^. 

Proof This theorem follows directly from Lemmas ^ and which are stated and proven 
below. □ 



Corollary 4 The probability that the algorithm mentioned in Theorem^ will return a correct 
answer after making no more than 2"/^ calls on its oracle is less than | + l/2("/^)~^. 

To establish these results, assume that the algorithm has queried its oracle on inputs 
xi, X2, ■ ■ ■ , Xk for Xi e {0, l}*^, 1 < i < k < 2"/'^. Without loss of generality, assume 
that all the queries are distinct. Let yi, y2, ■ ■ ■ , be the answers obtained from the oracle, 
i.e. yi = f{xi) for each i. Define the event S as occurring if there exist i and j,l<i<j<k, 
such that yi = yj. Clearly, the algorithm has discovered the secret s when S occurs since in 
that This allows the algorithm to produce a correct solution with certainty. 

We have to prove that S is very unlikely and that, unless S occurs, the algorithm has so 
little information that it cannot return an answer that is significantly more probable to be 
correct than a random n-bit string. 

Let X = {xi, X2, . ■ . ,Xk} be the set of queries to the oracle and let Y = {yi,y2, ... ,yk} 
be the corresponding answers. Let W = {xi (B Xj \1 < i < j < k} and let m < k"^ he 
the cardinality of W. Note that S occurs if and only if s & W since yi = yj if and only if 
Xi © Xj = s. If S does not occur, we say that any nonzero n-bit string s ^ W is compatible 
with the available data because it is not ruled out as possible value for the actual unknown s. 
Similarly, given any compatible s, we say that a function / : {0, 1}" —>■ {0, l}'^"^ is compatible 
with the available data (and with s = s) if f{xi) = yi for all i, and if /(x) = f{y) if and only 
if X (By = s for all distinct x and y in {0, 1}". The following lemma says that all compatible 
values for s are equally likely to be correct given the available data, and therefore the only 
information available about s is that it is one of the compatible values. 

Lemma 5 Assume S has not occurred. There are exactly {2'"' — m — l){{2"'"^ — k)\) functions 
that are compatible with the available data. For each compatible string s, exactly (2""-*^ — A;)! 
of those functions are also compatible with s = s. 

Proof Consider an arbitrary compatible s. Define X' = {x (B s \ x & X}. It follows from 
the compatibility of s that X n X' = (J). Let Z = {0, 1}" \ (X U X'), where "\" denotes 
set difference. Note that rc e Z if and only if x (B s G Z. Partition Z in an arbitrary way 
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into Zx U Z2 so that x G if and only if x © s G Z^- The cardinahties of Zx and Z2 are 
(2"-2A;)/2 = T'-^-k. Now let F' = {0, \Y~^\Y , also a set of cardinality T"'^ -k. To each 
bijection h : Z\ —^Y' there corresponds a function / compatible with the available data and 
s = s defined by 

\i X = Xi for some \ <i <k 
\i X = Xi® s for some \ <i <k 
if X E Zi 
if X E Z2. 

The conclusion follows from the facts that there are (2"~^ — k)\ such bijections, each possible 
function compatible with the available data and s = s is counted exactly once by this process, 
and there are 2^ — m — 1 compatible choices for s, each yielding a disjoint set of functions 
compatible with the available data. □ 

Lemma 6 Event £ has probability of occurrence smaller than 2""/'^ provided the oracle is 
probed k < 2"/^ times. 

Proof Since all nonzero values for s are equally likely a priori, and since event S occurs if 
and only if s G W^, it follows that 

Prob[f ] = m/(2" - 1) < A;V2" < 2""/^ 

where m is the cardinality of W. □ 

Lemma 7 // event £ does not occur then the probability that the algorithm returns a nonzero 
z G {0, l}*^ such that s ■ z = Q is less than | + 2^"/'^, provided the oracle is probed k < 2"'^^ 
times. 

Proof Assume that event £ has not occurred after k < 2"'^^ probes to the oracle. Consider 
an arbitrary nonzero z G {0, 1}". Let Az = {u & {0, 1}" \ u ■ z = 0}, 

B, = {ueA,\u^ 0" and u ^ W} 

and let bz be the cardinality of Bz- It is well-known that Az contains 2"~^ elements, and 
therefore bz < 2"~^ — 1. We know from Lemma ^ that the only knowledge about s that 
is available to the algorithm is that it is nonzero and not in W. Therefore, 2; is a correct 
answer if and only if s G -B2, and the optimal strategy for the algorithm is to return some z 



fix) 
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that maximizes bz- Given that there are 2" — 1 — m possible values for s, the probability of 
success (conditional to event S having not occurred) is 

b, 2"-i-l 2"-^ 2"-i 1/2 1 „/o 



m 



1-m 2" - A;2 - 2" - 2^3 i _ 2-"/3 - 2 



provided n > 3. The Lemma holds also when n = 2 since in this case at most one question 
is allowed (2^/^ < 2), which gives a success probabihty smaller than 1/2 for all possible 
algorithms! □ 



4 Concluding Remarks and Open Problems 

In the quantum algorithm, we performed a partial measurement at step 3. This step is 
not necessary, as we still will obtain a nonzero member of the orthogonal subgroup if we 
only perform steps 1, 2 and 4-7. We have, however, included it here to emphasize a group- 
thcorctic interpretation of the algorithm. The algorithm (and the notion of orthogonal 
subgroups) can be generalized to arbitrary finite Abelian groups of smooth order. The 
requirement of smoothness is sufficient to be able to perform the quantum Fourier transform 
(step 1) and the conditional phase-changes (step 4) exactly in polynomial time. 

Theorem 8 Let G he any Abelian group of smooth order m. Let H ^ G be an unknown 
subgroup of known index r, r > 1. Let / : G — >• {0, . . . , r — 1} be any function constant and 
distinct on each coset of H . Then there exists a quantum algorithm that finds a nonzero 
member of in time polynomial in log(m) and in the time to compute f. 

An interesting open question related to ours and Simon's algorithms is whether s can 
be found in Exact Quantum Polynomial Time. From a complexity-theoretic point of view, 
an oracle separation of QP and BPP is still an open question since our problem is not a 
decision problem. 
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